Hello Alexander,

I've created a fresh IPA VM as:
ipaserver.subdomain.domain.abc123

I've then created 2 new zones:
domain.abc123
domain02.abc123

along with host entries for:
host01.domain.abc123
host02.domain02.abc123

domain.abc123 does NOT serve.
domain02.abc123 serves properly.

I've uploaded the logs to:
http://instinctual.io/ipa_dns_problem.zip

Additionally you can see more info below.

Thank you.

[root@ipaserver ~]# ipa dnsserver-find
--------------------
1 DNS server matched
--------------------
  Server name: ipaserver.subdomain.domain.abc123
  SOA mname override: ipaserver.subdomain.domain.abc123.
  Forwarders: 8.8.8.8, 9.9.9.9
  Forward policy: only
----------------------------
Number of entries returned 1
----------------------------

[root@ipaserver ~]# ipa dnszone-show domain.abc123 --all
  dn: idnsname=domain.abc123.,cn=dns,dc=subdomain,dc=domain,dc=abc123
  Zone name: domain.abc123.
  Active zone: True
  Authoritative nameserver: ipaserver.subdomain.domain.abc123.
  Administrator e-mail address: hostmaster
  SOA serial: 1691527770
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant SUBDOMAIN.DOMAIN.ABC123 krb5-self * A; grant SUBDOMAIN.DOMAIN.ABC123 krb5-self * AAAA; grant SUBDOMAIN.DOMAIN.ABC123 krb5-self * SSHFP;
  Dynamic update: False
  Allow query: any;
  Allow transfer: none;
  nsrecord: ipaserver.subdomain.domain.abc123.
  objectclass: top, idnsrecord, idnszone

[root@ipaserver ~]# dig @ipaserver.subdomain.domain.abc123 host01.domain.abc123

; <<>> DiG 9.16.23-RH <<>> @ipaserver.subdomain.domain.abc123 host01.domain.abc123
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27117
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b069cd5202410b030100000064d2aae579c12b1d0b769bab (good)
;; QUESTION SECTION:
;host01.domain.abc123.          IN      A

;; Query time: 2 msec
;; SERVER: 10.55.2.2#53(10.55.2.2)
;; WHEN: Tue Aug 08 13:51:49 PDT 2023
;; MSG SIZE  rcvd: 77

[root@ipaserver ~]# nslookup host01.domain.abc123 ipaserver.subdomain.domain.abc123
Server:         ipaserver.subdomain.domain.abc123
Address:        10.55.2.2#53

** server can't find host01.domain.abc123: SERVFAIL

[root@ipaserver ~]# dig @ipaserver.subdomain.domain.abc123 host02.domain02.abc123

; <<>> DiG 9.16.23-RH <<>> @ipaserver.subdomain.domain.abc123 host02.domain02.abc123
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58676
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1bd570e5dd3340280100000064d2aaf58c5886a84c70ed89 (good)
;; QUESTION SECTION:
;host02.domain02.abc123.        IN      A

;; ANSWER SECTION:
host02.domain02.abc123. 86400   IN      A       10.55.4.4

;; Query time: 1 msec
;; SERVER: 10.55.2.2#53(10.55.2.2)
;; WHEN: Tue Aug 08 13:52:05 PDT 2023
;; MSG SIZE  rcvd: 95

[root@ipaserver ~]# nslookup host02.domain02.abc123 ipaserver.subdomain.domain.abc123
Server:         ipaserver.subdomain.domain.abc123
Address:        10.55.2.2#53

Name:   host02.domain02.abc123
Address: 10.55.4.4